This document describes how to decode GSM messages from a Nokia 3310 phone using Gsmdecode and a Gammu trace log. It provides instructions on the hardware and software needed, including installing Gammu and Gsmdecode, and connecting the phone to log and view the trace file. The trace can be analyzed to decode messages and view things like IMSI numbers and location codes from the trace data.

Uploaded by p45ch4

== GSM decoding with Nokia 3310 phone ==

Gsmdecode is used to decode the GSM messages from the gammu trace log of a Nokia DCT3 mobile phone. Nokia used a simple remote logging facility for debugging their DCT3 firmwares remotely, but apparently forgot to remove it when going into production, so it can be re-enabled with the special software described below.
'''Hardware needed'''
* mobile phone Nokia 3310 (900/1800 MHz) or 3390 (1900 MHz)
* [http://www.cellphoneshop.net/usbdatcabfor.html F-BUS and M2BUS auto-switching cable]
[[Image(nokia3310_nk-33.png)]]
'''Software needed'''
In Linux (for instance Ubuntu) we need to install gammu (from console):
{{{
sudo apt-get install gammu
sudo apt-get install dialog
}}}
Then we need to setup gammu:
{{{
gammu-config
}}}
Sometimes gammu-config doesn't work correctly and swaps ''model'' and ''connection'', so we must edit the ~/.gammurc file:
{{{
nano ~/.gammurc
}}}
File must have the following content:
{{{
[gammu]
port = /dev/ttyS0
model = 6110
connection = mbus
synchronizetime = yes
logfile =
logformat = nothing
use_locking = yes
gammuloc =
}}}
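Because the page warns that gammu-config sometimes writes the ''model'' and ''connection'' values into each other's keys, here is an added check for that swap. It is example code written for this page, not part of the wiki page or of the Gammu project, and it does not use Gammu's own config parser; it assumes that a DCT3 serial ''connection'' is a name such as mbus or fbus (or an at* name), while ''model'' is a bare phone model number (6110 on this page) or empty for autodetection.

```shell
#!/bin/sh
# Added example (not from the wiki page or the Gammu project): check a gammurc
# file for the model/connection swap that the page says gammu-config sometimes
# produces. Gammu's own parser is not involved; this only reads the two keys
# from the [gammu] section with awk.
# ASSUMPTION: a connection value for a DCT3 serial setup is a name such as
# mbus or fbus (or an at* name for AT-command connections), while the model
# value is a bare phone model number (6110 on this page) or empty for
# autodetection. Anything else is reported as a likely swap.

# gammurc_get FILE KEY  -> prints the value of "KEY = value" from the [gammu] section
gammurc_get() {
    awk -v key="$2" '
        /^\[/ { insect = ($0 == "[gammu]"); next }
        insect && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# gammurc_check FILE  -> returns 0 when model/connection look sane, 1 when they look swapped
gammurc_check() {
    model=$(gammurc_get "$1" model)
    conn=$(gammurc_get "$1" connection)
    case "$conn" in
        mbus|fbus|at*) ;;
        *) echo "$1: connection='$conn' is not a connection type; swapped with model?" >&2
           return 1 ;;
    esac
    case "$model" in
        ""|[0-9]*) ;;
        *) echo "$1: model='$model' is not a phone model number; swapped with connection?" >&2
           return 1 ;;
    esac
    return 0
}

# Demo on a constructed copy of the page's config (real use: gammurc_check ~/.gammurc)
demo=$(mktemp)
printf '[gammu]\nport = /dev/ttyS0\nmodel = 6110\nconnection = mbus\n' > "$demo"
gammurc_check "$demo" && echo "$demo: model/connection look sane"
rm -f "$demo"
```

Run it as `gammurc_check ~/.gammurc` after gammu-config; a non-zero exit with the message on stderr means the two keys need to be edited by hand as described above.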
Then we create a subdirectory for data files...
{{{
mkdir ~/GSM
cd ~/GSM
}}}
...and either download and install Wireshark 1.1.2 or later [http://www.wireshark.org]
...or alternatively use gsmdecode: download the source code of [http://wiki.thc.org/gsm#head-bc727181581bac3b29b29f33fb1e14150ba12b82 gsmdecode-0.7bis.tar.gz] ([attachment:gsmdecode-0.7bis.tar.gz direct download here]), extract it and compile it:
{{{
cd gsmdecode-0.7bis/
sudo apt-get install gcc g++ cpp gpp make automake
./configure
make all
}}}
According to THC wiki, ''gsmdecode'' has:
* SIM Toolkit support
* Concatenated SMS supported (e.g. sms longer than 140 octets).
* Service request support (e.g. *#100# requests).
* Other layer 3 support (long (23+ octet) RR messages, ...)
Now we need the file ''nhm5_587.txt'', which helps us decode the trace types, and save it to the GSM subdirectory. The file was found here:
* [http://arch.cihar.com/[email protected]/gammu--upstream--0/patch-29/gammu--upstream--0--patch-29.patches.tar.gz arch.cihar.com in tar.gz datafile]
* we need to open the datafile and find the following directory: /gammu upstream 0 patch-29.patches/new-files-archive/gammu/depend/dct3trac/
* there is a file ''nhm5_587.txt'' which needs to be saved into the GSM subdirectory.
However, you can simply download the file here:
* [attachment:nhm5_587.txt nhm5_587.txt]
'''How to connect the hardware'''
We need to open the Nokia mobile phone, take out the battery, insert the SIM card, insert the battery into the cable and then connect the cable to the mobile phone.
The other end of the cable should be connected to the computer (COM port - /dev/ttyS0), or we use a USB-to-serial converter, for instance the USB-serial DB09 Aten (then we have an emulated serial port under Linux - /dev/ttyUSB0).
Now we can switch on the mobile phone and start recording the trace log.
[[Image(nokia_connect.png)]]

'''Logging the ''tracelog'' '''

''Please note that this step could be legally problematic, so I did not run the following code; however, there are [http://wiki.thc.org/gsm/debugtrace some traces available on the internet]:''
{{{
cd ~/GSM
gammu --nokiadebug nhm5_587.txt v20-25,v18-19
}}}

'''Viewing the ''tracelog'' in Wireshark '''

The files can be loaded directly by Wireshark 1.1.2 or later:
{{{
wireshark ~/GSM/out.xml
}}}
'''Decoding the ''tracelog'' '''
Simple decoding (''output is printed on screen''):
{{{
~/GSM/gsmdecode-0.7bis/src/gsmdecode -x <~/GSM/out.xml
}}}
If you are interested in the [http://en.wikipedia.org/wiki/Broadcast_Control_Channel BCCH messages] (BCCH - the Broadcast Control Channel carries a repeating pattern of system information messages that describe the identity, configuration and available features of the [http://en.wikipedia.org/wiki/Base_Transceiver_Station BTS] (base transceiver station)), run ''gsmdecode'' with the '''-i''' option. These messages also provide the list of ARFCNs used by neighbouring BTSs. Printed out are the Bbis LAPDm frame format, Immediate Assignment, etc.
{{{
~/GSM/gsmdecode-0.7bis/src/gsmdecode -i <~/GSM/out.xml
}}}

'''List of "caught" IMSI numbers with the frequency of each IMSI number in the tracelog:'''

''Please note that this is theory only, because I did not run the tracelog command:''
{{{
~/GSM/gsmdecode-0.7bis/src/gsmdecode -x <~/GSM/out.xml | grep 7/odd | awk '{ print $5 }' | sort | uniq -c
}}}
'''Someone could do a tracelog while driving (''wardriving'') and collect Local Area Codes, which could be printed out:'''
''Please note that this is theory only, because I did not run the tracelog command:''
{{{
~/GSM/gsmdecode-0.7bis/src/gsmdecode -x <out.xml | grep "Local Area Code" | awk '{ print $3 }'
}}}
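The two one-liners above pick their values by fixed column number, which only works if the column layout of ''gsmdecode -x'' output matches. Here is an added example, written for this page and not part of the wiki page or the gsmdecode project, that does the same two jobs (identity tally and Local Area Code extraction) by matching on patterns instead, keeps only the MCC+MNC prefix of each IMSI so the summary does not retain whole subscriber identities, and reports where the LAC changes during the trace. The SAMPLE text is constructed to exercise the functions; it is laid out so the page's own column numbers ($5 and $3) would also work, but its line shapes are an assumption, not gsmdecode's documented format.

```shell
#!/bin/sh
# Added example (not from the wiki page or the gsmdecode project): the two
# one-liners above, reworked as functions that match on patterns instead of
# fixed column numbers, because the column layout of "gsmdecode -x" output is
# not documented on the page. Feed them real output with, for instance:
#   gsmdecode -x <out.xml | imsi_by_network
# The SAMPLE below is CONSTRUCTED to exercise the functions; it is not a real
# trace, and its line shapes are an assumption:
#   "... 7/odd ... <15 digits> ..."          a mobile identity of type IMSI
#   "... 0x<hex> (Local Area Code)"          a LAC announcement

SAMPLE='  5: 7/odd IMSI type: 262011234567890 Mobile Identity
  8: LAC: 0x1a2b (Local Area Code)
  5: 7/odd IMSI type: 262011234567890 Mobile Identity
  5: 7/odd IMSI type: 262029876543210 Mobile Identity
  8: LAC: 0x1a2b (Local Area Code)
  8: LAC: 0x3c4d (Local Area Code)'

# imsi_by_network: count IMSI occurrences, keeping only the MCC+MNC prefix
# (first 5 digits) so the summary does not retain whole subscriber identities.
# Output: "<count> <prefix>*" per line, most frequent first.
imsi_by_network() {
    awk '/7\/odd/ {
            for (i = 1; i <= NF; i++) {
                if (length($i) == 15 && $i ~ /^[0-9]+$/) {
                    n[substr($i, 1, 5) "*"]++
                    break
                }
            }
         }
         END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# lac_changes: report the first LAC seen and every later change of LAC,
# i.e. the points where the phone's location area changed during the trace.
lac_changes() {
    awk '/Local Area Code/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^0x[0-9a-fA-F]+$/) {
                    if (cur == "") {
                        printf "first LAC %s\n", $i
                    }
                    else if ($i != cur) {
                        printf "LAC changed %s -> %s\n", cur, $i
                    }
                    cur = $i
                    break
                }
            }
         }'
}

# Demo on the constructed sample:
printf '%s\n' "$SAMPLE" | imsi_by_network
printf '%s\n' "$SAMPLE" | lac_changes
```

On the sample this prints two network prefixes (26201* twice, 26202* once) and one LAC change, from 0x1a2b to 0x3c4d; on a real trace the LAC change report is the part worth keeping, since it shows when the phone left one location area for another.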

'''Possible bugs'''
1) The 3390b was not supported in gammu until today. The nokiadebug command would quit without an error. [https://bugs.cihar.com/view.php?id=982 See this bug]
2) I'm currently receiving a segmentation fault (gammu 1.25.92) after making phone calls. If I add a "break;" after case 0x22 and case 0x23 in gammu/depend/nokia/dct3trac/wmx.c it is possible to prevent the crash from happening. It seems to be related to decoding SIM commands. [https://bugs.cihar.com/view.php?id=983 Here is the bug report]
'''Sample traces'''
''See sample traces in XML format in the attachments below. Sample traces are from the old website.''
* [attachment:call_1525.xml call_1525.xml] - the mobile phone called the number 1525 and stayed connected for 2-3 seconds. The XML file contains uplink and downlink traffic as sniffed by the default DCT3 tracer.
* [attachment:call_init.xml call_init.xml] - call init
* [attachment:sms.xml sms.xml] - SMS trace log
* [attachment:sms2.xml sms2.xml] - SMS containing "abc"
* [http://wiki.thc.org/gsm/debugtrace other traces] - from old webpage
